Link Redirect Mayhem, Help Please???

  1. #1
    RodneyS10 is offline Newbie

    Link Redirect Mayhem, Help Please???

    Hello,

    I am having a major problem on my computer. Every time I start it up and go to Google or any search engine and type something in, for example SUPERAntiSpyware, I get links, but when I click on them, I get redirected to other search sites. I cannot even download SUPERAntiSpyware or even go to the website SUPERAntiSpyware.com.

    I also tried putting the program on my USB pen drive from my laptop to my computer, and the program SUPERAntiSpyware does not open and it gives me an error. It's like there is some kind of spyware installed that is preventing me from doing this. I tried other websites and scanners and nothing seems to work.

    I am running ESET Nod32 Antivirus and Windows XP is my operating system.

    Also, you won't believe this, but I cannot seem to get to download HijackThis to post something for you guys. What do I do??? Sometimes the computer freezes and won't respond so I have to restart it using the power button and holding it down.

    I even tried transferring the file HijackThis through a USB pen drive and it won't install....

    I am running out of ideas and these redirect links are driving me nuts... any help would be awesome.

    Thanks a lot,

    Rodney


  2. #2
    Neal is offline Dedicated Member
    On a different computer, rename hijackthis.exe to something else like foolyou.exe and try to get me a log that way. You can also try renaming SUPERAntiSpyware.

  3. #3
    RodneyS10 is offline Newbie
    That is not a bad idea at all... Thanks, I will try that and get back to you with the info. I cannot get into the office till Monday, so I will let you know then. I appreciate the help.

  4. #4
    Neal is offline Dedicated Member
    okey dokey then let us know.

  5. #5
    RodneyS10 is offline Newbie
    The renaming of the hijackthis file worked and I got the log below for you as follows:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:54:24 PM, on 11/25/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1224108703437
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1224108739375
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

    --
    End of file - 4379 bytes

  6. #6
    RodneyS10 is offline Newbie
    I also tried renaming SuperAntiSpyware and it did not find anything except for cookies. I really appreciate your help in this matter.

    Thanks Again

  7. #7
    Neal is offline Dedicated Member
    Hijackthis log is clean, unfortunately.

    Next tool:

    During the download, rename Combofix to Combo-Fix as follows: Notice the hyphen



    Visit this page below to familiarize yourself to the tool below and download from one of the links provided.

    A guide and tutorial on using ComboFix




    If you have previously downloaded ComboFix, please delete that version now.



    It is IMPORTANT that it is saved directly to your desktop.

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any realtime malware scanners and script blockers now


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
    Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.


    ComboFix SHOULD NOT be used unless requested by a forum helper.

  8. #8
    RodneyS10 is offline Newbie
    Below is the ComboFix log like you asked. It took away the problem of the redirecting, but the computer freezes sometimes on startup... Maybe you can tell me what the log says.

    Thanks for all your help in this matter.



    ComboFix 08-12-02.02 - user 2008-12-03 17:19:15.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2957 [GMT -6:00]

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\ieupdates.exe.tmp
    c:\windows\system32\TDSSoeqh.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
    .

    2008-11-25 17:44 . 2008-11-25 17:44 <DIR> d-------- c:\program files\Trend Micro
    2008-11-24 18:58 . 2008-11-24 18:58 <DIR> d-------- c:\windows\system32\LogFiles
    2008-11-23 09:28 . 2008-11-25 18:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-19 23:47 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-19 23:45 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-19 22:12 . 2008-11-19 22:12 <DIR> d-------- c:\documents and settings\user\Application Data\Grisoft
    2008-11-19 22:09 . 2008-11-19 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
    2008-11-19 21:14 . 2008-11-19 21:14 <DIR> d-------- c:\documents and settings\Administrator
    2008-11-19 20:55 . 2008-11-19 23:29 <DIR> d-------- C:\fixwareout
    2008-11-19 20:48 . 2008-11-19 20:48 0 --a------ c:\windows\nsreg.dat
    2008-11-19 20:32 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
    2008-11-19 20:32 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
    2008-11-19 20:28 . 2008-11-19 20:28 <DIR> d-------- c:\program files\ESET
    2008-11-19 20:28 . 2008-11-19 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
    2008-11-18 16:53 . 2008-11-18 16:53 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
    2008-11-18 16:18 . 2008-11-18 16:18 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
    2008-11-18 16:05 . 2008-11-19 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-18 14:01 . 2008-11-18 14:01 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
    2008-11-18 14:01 . 2008-11-18 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-13 17:35 . 2008-11-13 17:35 <DIR> d-------- C:\EXPORT
    2008-11-04 16:31 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
    2008-11-04 16:30 . 2008-11-04 16:30 <DIR> d-------- c:\program files\MSBuild
    2008-11-04 16:30 . 2008-11-04 16:30 <DIR> d-------- c:\program files\Microsoft Works
    2008-11-04 16:27 . 2008-11-04 16:27 <DIR> d-------- c:\windows\SHELLNEW
    2008-11-04 16:26 . 2008-11-04 16:26 <DIR> dr-h----- C:\MSOCache
    2008-11-04 16:26 . 2008-11-20 03:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-03 17:32 . 2008-11-25 18:38 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-03 17:32 . 2008-11-25 17:45 <DIR> d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:32 . 2008-11-03 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:05 . 2008-11-19 17:50 <DIR> d-------- c:\program files\Kaspersky Lab

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-02 19:17 --------- d-----w c:\program files\ClickStrip
    2008-12-02 00:54 --------- d-----w c:\program files\ClienTrak
    2008-11-03 23:03 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-10-29 00:11 --------- d-----w c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B 320485DF8CE.1
    2008-10-28 17:03 --------- d-----w c:\program files\Common Files\Adobe
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-21 19:33 --------- d-----w c:\program files\Customer Appointment Manager
    2008-10-18 17:47 --------- d-----w c:\program files\Common Files\Smead
    2008-10-16 15:05 315,392 ----a-w c:\windows\HideWin.exe
    2008-10-16 15:05 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-16 15:05 --------- d-----w c:\program files\Realtek
    2008-10-16 15:05 --------- d-----w c:\program files\Common Files\InstallShield
    2008-10-16 02:14 --------- d-----w c:\program files\HP Wireless Keyboard
    2008-10-16 02:13 --------- d-----w c:\program files\CONEXANT
    2008-10-15 20:28 --------- d-----w c:\program files\Intel
    2008-10-15 19:59 --------- d-----w c:\documents and settings\user\Application Data\InstallShield
    2008-10-15 19:12 --------- d-----w c:\documents and settings\All Users\Application Data\Geek Squad
    2008-10-15 19:01 --------- d-----w c:\program files\microsoft frontpage
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b90dca20-140f-4d35-b109-5d2d07eabcd1.exe" [2008-11-17 1805552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
    R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-02-20 472320]
    R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
    S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2006-02-28 3584]

    *Newly Created Service* - TDSSSERV.SYS
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-AVP - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 17:28:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files:

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmqxt.sys"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(768)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    .
    **************************************************************************
    .
    Completion time: 2008-12-03 17:29:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-12-03 23:28:59

    Pre-Run: 722,584,920,064 bytes free
    Post-Run: 722,597,646,336 bytes free

    131 --- E O F --- 2008-11-20 09:05:59

  9. #9
    RodneyS10 is offline Newbie
    Here is the second one I ran because the computer kept freezing.


    ComboFix 08-12-02.02 - user 2008-12-03 17:40:54.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2952 [GMT -6:00]
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\TDSSmqxt.sys
    c:\windows\system32\TDSSbrsr.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSmqlt.dat
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoeqh.dll
    c:\windows\system32\TDSSoiqh.dll
    c:\windows\system32\TDSSosvd.dll
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsihc.log
    c:\windows\system32\TDSSxfum.log

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSSERV.SYS
    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
    .

    2008-11-25 17:44 . 2008-11-25 17:44 <DIR> d-------- c:\program files\Trend Micro
    2008-11-24 18:58 . 2008-11-24 18:58 <DIR> d-------- c:\windows\system32\LogFiles
    2008-11-23 09:28 . 2008-11-25 18:42 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-19 23:47 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-19 23:45 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
    2008-11-19 22:12 . 2008-11-19 22:12 <DIR> d-------- c:\documents and settings\user\Application Data\Grisoft
    2008-11-19 22:09 . 2008-11-19 22:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Grisoft
    2008-11-19 21:14 . 2008-11-19 21:14 <DIR> d-------- c:\documents and settings\Administrator
    2008-11-19 20:55 . 2008-11-19 23:29 <DIR> d-------- C:\fixwareout
    2008-11-19 20:48 . 2008-11-19 20:48 0 --a------ c:\windows\nsreg.dat
    2008-11-19 20:32 . 2008-03-03 14:25 5,702 --ah----- c:\windows\nod32restoretemdono.reg
    2008-11-19 20:32 . 2008-03-03 18:21 568 --ah----- c:\windows\nod32fixtemdono.reg
    2008-11-19 20:28 . 2008-11-19 20:28 <DIR> d-------- c:\program files\ESET
    2008-11-19 20:28 . 2008-11-19 20:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
    2008-11-18 16:53 . 2008-11-18 16:53 <DIR> d-------- c:\documents and settings\LocalService\Application Data\Webroot
    2008-11-18 16:18 . 2008-11-18 16:18 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
    2008-11-18 16:05 . 2008-11-19 18:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-18 14:01 . 2008-11-18 14:01 <DIR> d-------- c:\documents and settings\user\Application Data\Malwarebytes
    2008-11-18 14:01 . 2008-11-18 14:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-13 17:35 . 2008-11-13 17:35 <DIR> d-------- C:\EXPORT
    2008-11-04 16:31 . 2006-10-26 19:56 32,592 --a------ c:\windows\system32\msonpmon.dll
    2008-11-04 16:30 . 2008-11-04 16:30 <DIR> d-------- c:\program files\MSBuild
    2008-11-04 16:30 . 2008-11-04 16:30 <DIR> d-------- c:\program files\Microsoft Works
    2008-11-04 16:27 . 2008-11-04 16:27 <DIR> d-------- c:\windows\SHELLNEW
    2008-11-04 16:26 . 2008-11-04 16:26 <DIR> dr-h----- C:\MSOCache
    2008-11-04 16:26 . 2008-11-20 03:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-11-03 17:32 . 2008-11-25 18:38 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2008-11-03 17:32 . 2008-11-25 17:45 <DIR> d-------- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:32 . 2008-11-03 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-11-03 17:05 . 2008-11-19 17:50 <DIR> d-------- c:\program files\Kaspersky Lab

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-02 19:17 --------- d-----w c:\program files\ClickStrip
    2008-12-02 00:54 --------- d-----w c:\program files\ClienTrak
    2008-11-03 23:03 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-10-29 00:11 --------- d-----w c:\documents and settings\user\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B 320485DF8CE.1
    2008-10-28 17:03 --------- d-----w c:\program files\Common Files\Adobe
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-21 19:33 --------- d-----w c:\program files\Customer Appointment Manager
    2008-10-18 17:47 --------- d-----w c:\program files\Common Files\Smead
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-10-16 15:05 315,392 ----a-w c:\windows\HideWin.exe
    2008-10-16 15:05 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-10-16 15:05 --------- d-----w c:\program files\Realtek
    2008-10-16 15:05 --------- d-----w c:\program files\Common Files\InstallShield
    2008-10-16 02:14 --------- d-----w c:\program files\HP Wireless Keyboard
    2008-10-16 02:13 --------- d-----w c:\program files\CONEXANT
    2008-10-15 20:28 --------- d-----w c:\program files\Intel
    2008-10-15 19:59 --------- d-----w c:\documents and settings\user\Application Data\InstallShield
    2008-10-15 19:12 --------- d-----w c:\documents and settings\All Users\Application Data\Geek Squad
    2008-10-15 19:01 --------- d-----w c:\program files\microsoft frontpage
    2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
    2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
    2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
    2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
    2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
    2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
    2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
    2008-09-24 02:05 593,920 ------w c:\windows\system32\ati2sgag.exe
    2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
    2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
    2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
    2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
    2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
    2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
    2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
    2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
    2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
    2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
    2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
    2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\b90dca20-140f-4d35-b109-5d2d07eabcd1.exe" [2008-11-17 1805552]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-06-12 01:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

    R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
    R2 ekrn;Eset Service;"c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe" [2008-02-20 472320]
    R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys []
    S2 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe /s c:\windows\nod32fixtemdono.reg [2006-02-28 3584]
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-03 17:41:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\TDSSserv.sys]
    "imagepath"="\systemroot\system32\drivers\TDSSmqxt.sys"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(764)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2008-12-03 17:42:17
    ComboFix-quarantined-files.txt 2008-12-03 23:42:05
    ComboFix2.txt 2008-12-03 23:29:02

    Pre-Run: 722,604,810,240 bytes free
    Post-Run: 722,595,708,928 bytes free

    166 --- E O F --- 2008-11-20 09:05:59



    Everything runs pretty much perfect now... ComboFix DID IT!!!

    Thanks for your help, please let me know if you see something not right in the log file.

    Thanks a lot.

    Rodney
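As an added illustration (not code from this thread, from ComboFix or from its author), here is a small Python triage script that reads a ComboFix log in the layout posted above and pulls out what a helper looks at first: entries that "failed to delete", the randomly named TDSS* files, a Services key whose imagepath still points at a TDSS driver, newly created services, and the Security Center and firewall values both logs show switched off. The embedded log excerpt is constructed to mirror the two posts, and the function and field names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the layout of the two ComboFix logs in this thread (not a real run).
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\ieupdates.exe.tmp
c:\windows\system32\TDSSoeqh.dll . . . . failed to delete

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

*Newly Created Service* - TDSSSERV.SYS

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSmqxt.sys"
"""

BANNER = re.compile(r"^\(+\s*(?P<name>[^()]+?)\s*\)+$")  # "((( Other Deletions )))"
FAILED = " . . . . failed to delete"
TDSS_FILE = re.compile(r"\\(TDSS[a-z]{4}\.(?:sys|dll|dat|log))$")  # random 4-letter TDSS names
SERVICE_KEY = re.compile(r"^\[.*\\services\\(?P<svc>[^\]\\]+)\]$", re.I)
IMAGEPATH = re.compile(r'^"imagepath"="(?P<path>[^"]+)"$', re.I)
NEW_SERVICE = "*Newly Created Service* - "
WEAK = {  # registry values that mean the box's own defences were switched off
    '"AntiVirusDisableNotify"=dword:00000001': "Security Center AV alerts suppressed",
    '"UpdatesDisableNotify"=dword:00000001': "Security Center update alerts suppressed",
    '"EnableFirewall"= 0 (0x0)': "Windows Firewall off (standard profile)",
}


def sections(log):
    """Split the log into banner-delimited sections, dropping blank and '.' lines."""
    out, current = {"header": []}, "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            current = m.group("name")
            out.setdefault(current, [])
        elif line and line != ".":
            out.setdefault(current, []).append(line)
    return out


@dataclass
class Triage:
    failed_deletions: list = field(default_factory=list)
    tdss_files: list = field(default_factory=list)
    new_services: list = field(default_factory=list)
    surviving_services: dict = field(default_factory=dict)  # service key -> imagepath
    weakened_settings: list = field(default_factory=list)

    @property
    def rerun_needed(self):
        # A failed delete, or a driver key still pointing at a TDSS file, means the
        # rootkit is still registered: the reason this thread needed a second run.
        return bool(self.failed_deletions or self.surviving_services)


def triage(log):
    """Collect the indicators a helper reads first from a ComboFix log."""
    t, names, svc = Triage(), set(), None
    for line in sections(log).get("Other Deletions", []):
        failed = line.endswith(FAILED)
        path = line[: -len(FAILED)].strip() if failed else line
        if failed:
            t.failed_deletions.append(path)
        if m := TDSS_FILE.search(path):
            names.add(m.group(1))
    for raw in log.splitlines():
        line = raw.strip()
        if key := SERVICE_KEY.match(line):
            svc = key.group("svc")  # remember the key until its imagepath line
        elif (img := IMAGEPATH.match(line)) and svc:
            if m := TDSS_FILE.search(img.group("path")):
                names.add(m.group(1))
                t.surviving_services[svc] = img.group("path")
            svc = None
        elif line.startswith(NEW_SERVICE):
            t.new_services.append(line[len(NEW_SERVICE):])
        elif line in WEAK:
            t.weakened_settings.append(WEAK[line])
    t.tdss_files = sorted(names)
    return t
```

Run against the first log in the thread this reports a failed delete and a surviving TDSSserv.sys key, which is exactly why the second pass was needed; the second log clears both.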

  10. #10
    Neal is offline Dedicated Member
    Everything looks good on this end.
